Overview

Lenovo Security Advisory: LEN-2015-010

Potential Impact: Man-in-the-Middle Attack

Severity: High

Chris Palmer, a developer working for Google on Chrome, discovered that Lenovo delivers notebooks with the adware “Superfish” pre-installed. Research shows that it has been pre-installed since at least September 2014, when a forum post about Superfish appeared.

This software acts as an SSL man-in-the-middle in order to collect data and inject ads into websites. It does this seamlessly because SuperFish installs its certificate as a root certificate in the Windows root certificate store, without any restrictions. Any certificate SuperFish generates is therefore accepted without question, as if it had been issued by Microsoft itself. The pre-installed certificate appears to be identical on all systems.

This means that malicious software signed with a SuperFish-generated certificate will also be implicitly trusted by the operating system. Should the SuperFish private key be extracted, which has already happened, anyone would be able to intercept the communications of these computers or generate software signatures that they accept as valid.

Effect

Inserting a certificate at the factory undermines every VPN, database, and software update connection the laptop makes, all in order to insert ads on secure shopping websites: effectively every SSL session is hijacked.

This opens the door to attackers looking to breach affected systems through the security flaws the software introduces.

Simple Test

If you see an image with “YES” written on it, you have a problem. Run the test in every browser you have installed.

(If the browser asks you to confirm/trust/accept with a pop-up, that is good: you are not affected. But for the future, remember that answering yes to those pop-ups is dangerous: you are giving up the security of the connection.)
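The browser test above shows whether a given browser trusts the injected root; the advisory itself says the certificate lives in the Windows root certificate store, so an administrator can also check that store directly. The following script is an added example, not code from Lenovo or the advisory; it assumes only that the certificate's Subject contains the string "Superfish" (the name the advisory gives) and that the machine-wide Root store is read and modified from an elevated prompt.

```powershell
# Added example (not part of the Lenovo advisory): look for a Superfish root CA in
# the Windows Root certificate stores the advisory describes, and optionally remove it.
# Assumptions: the certificate Subject contains "Superfish"; run elevated for
# the LocalMachine store.
param(
    [switch]$Remove   # pass -Remove to delete matches after reviewing the listing
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root CA whose private key is also present on the machine is the
                # worst case: it can mint TLS certificates and sign software locally.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $hits) {
    Write-Output 'No Superfish root certificate found in the Root stores.'
    return
}

$hits | Format-Table -AutoSize

if ($Remove) {
    foreach ($hit in $hits) {
        # Uninstall the Superfish software first, otherwise it can re-install the cert.
        Remove-Item -Path "$($hit.Store)\$($hit.Thumbprint)" -Verbose
    }
} else {
    Write-Warning 'Superfish root certificate present. Re-run with -Remove after uninstalling the software.'
}
```

This checks only the Windows stores; a browser that keeps its own certificate store must still be checked with the browser test above.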